Enter the law

But beyond the search optimization rationale, Google has another justification behind its 18 months of data retention: the law.
"While shorter retention periods are good for privacy, longer retention periods are needed for security, innovation and compliance reasons," wrote Peter Fleischer, Googles global privacy counsel, in the posting in which he announced that Google would anonymize data after 18 months.

Legal compliance is a compelling justification for data retention. The problem is, nobody seems to be able to locate the laws that Google is talking about. Google acknowledges that its data retention period is based on parameters being discussed now in the European Union as opposed to any existing laws. A Google spokesperson points to a site run by European Digital Rights that tracks legal maneuverings around data retention in the EU, providing a round-up of implementation status on a country-by-country basis. "The status is changing almost daily," she wrote in an e-mail exchange.

No doubt thats true, but the majority of data retention laws being discussed or implemented pertain to ISPs or telephony providers; only one, in Germany, appears to pertain to e-mail providers.
"I would like Google to point out specific legislation that requires a private company in the search business to retain data," said PIs Simon Davies. "I cant. Im not aware of any such law. There is data retention in Europe, but it doesnt apply to keeping search strings for 18 months. If were talking about a week, perhaps well have room for negotiation. But I suspect Google, like other major players, is on the wrong highway. Whatever techniques theyre requiring shouldnt require retention for that long a time."
Either way, Davies said, the process of data retention requires "full scrutiny."
What does Google have to say about the validity of other criticisms in the PI report? The one thing that Google grants it could do better onmaybe, if the charge is in fact legitimateis being clear on its policies.
"If were not being clear, shame on us because we should be," Wong said. "We try hard to be."
One thing privacy advocates would like to see Google do is to get a privacy czar. One of PIs complaints was that nobody at Google got back to the organization when contacted about privacy concerns.
"Google was invited to provide any data that would help its case," Davies said. "We tried to reach Google at Mountain View I suppose it would have been [in May]. Five, six days before publication of the report I called Peter Fleischer, [Googles] global privacy lead, and warned him the report was coming out and Google wasnt looking good. I asked Peter to send me anything we could take into consideration in finalizing the report, and nothing came back. Peter did ask me to come to Paris to meet, but it was a busy week. The last thing I was going to do was come to Paris to be one of 23 other organizations."
If Google had provided the PI with a response, privacy advocates say, the company likely would have come off looking a lot better in the report. They point to this omission as being an indication that the company needs a clearer path to reporting privacy issues.
"Google needs a privacy officer," said Beth Givens, director and founder of the Privacy Rights Clearinghouse, when asked what steps privacy experts believe would help Google shape up.
Google finds the notion odd, pointing not only to on-staff privacy experts Fleischer and Wong but to the product development lifecycle now in place at Google, instituted when Wong was brought on-board, in which every product launched includes on its team a lawyer trained on privacy issues who works with product development from the get-go.
The back and forth will continue for the foreseeable future, particularly given Googles proposed merger with DoubleClick. Some say that in the end its up to consumers to police the information they give to Google or to anybody, but in fact Google garners information from the simplest action as performing a search.
Consumers always have options to Google. Or, rather, when it comes to privacy, given that Yahoo and Microsoft are hardly more privacy sensitive, there is only one option: Ixquick.
Take your pick: If the choice comes down to being owned by Google and using Ixquick, given Googles overwhelming popularity, chances are that most consumers are going to put their privacy on the line.
Editors Note: This story was updated to include comments from Google.Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.

Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.